Summary:

The following script can be used as an "Auto Exec" (startup) script in SQL Server to confirm that the instance has been properly secured and that the encryption keys were passed to SQL Server when the service started.

Additional Information:

The following script generates an alert at SQL Server startup if the instance was not properly secured, or if the key was not passed to the secured instance when it started. We recommend always using it together with Column Encryption. Note: the Encryptionizer APIs must be installed in order to run it.
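The startup-check mechanism described above relies on a standard SQL Server feature: a parameterless procedure in master, marked with sp_procoption 'startup', runs every time the service starts. The block below is an added illustration of that pattern and is not NetLib's script. It assumes a database named SecuredDb and a canary table dbo.EncryptionCanary holding a column-encrypted value whose decrypted plaintext is known in advance (here 'CANARY-OK'); both names and the value are assumptions, and how the column is decrypted depends on the Encryptionizer APIs, which are not shown on this page. If the key was not passed, the canary read either fails or returns something other than the expected plaintext, and the procedure writes a severity-16 error to the SQL Server error log and the Windows Application log.

```sql
-- Added example, not NetLib's Auto Exec script.
-- Assumptions: database SecuredDb, table dbo.EncryptionCanary(CanaryId int, CanaryValue nvarchar(100)),
-- and a row with CanaryId = 1 whose decrypted value is N'CANARY-OK'.
USE master;
GO

CREATE PROCEDURE dbo.usp_CheckEncryptionAtStartup
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @expected nvarchar(100) = N'CANARY-OK';   -- known plaintext of the canary row (assumed)
    DECLARE @actual   nvarchar(100);
    DECLARE @tries    int = 0;

    -- Startup procedures run as soon as master has recovered; user databases may still be
    -- recovering, so wait up to 60 seconds for the secured database to come online.
    WHILE DATABASEPROPERTYEX(N'SecuredDb', 'Status') <> 'ONLINE' AND @tries < 12
    BEGIN
        WAITFOR DELAY '00:00:05';
        SET @tries += 1;
    END;

    BEGIN TRY
        -- Read the canary through the same path the application uses. Without the key,
        -- the read fails (caught below) or the value does not decrypt to the expected plaintext.
        SELECT @actual = CanaryValue
        FROM SecuredDb.dbo.EncryptionCanary
        WHERE CanaryId = 1;

        IF @actual IS NULL OR @actual <> @expected
            -- WITH LOG writes the message to the SQL Server error log and the Windows Application log,
            -- where a SQL Agent alert or monitoring agent can pick it up.
            RAISERROR (N'Encryption check FAILED at startup: canary mismatch. The encryption key may not have been passed to this instance.', 16, 1) WITH LOG;
        ELSE
            RAISERROR (N'Encryption check passed at startup: canary decrypted correctly.', 10, 1) WITH LOG;
    END TRY
    BEGIN CATCH
        DECLARE @msg nvarchar(2048) =
            N'Encryption check FAILED at startup (canary read error): ' + ERROR_MESSAGE();
        RAISERROR (@msg, 16, 1) WITH LOG;
    END CATCH;
END;
GO

-- Register the procedure to run automatically at every service start.
-- sp_procoption also enables the 'scan for startup procs' server option.
EXEC sp_procoption @ProcName   = N'dbo.usp_CheckEncryptionAtStartup',
                   @OptionName = 'startup',
                   @OptionValue = 'on';
GO
```

The procedure must live in master, be owned by dbo and take no parameters, which is what sp_procoption requires. To turn the logged error into an alert, create a SQL Agent alert on the error text or on severity 16 in master and attach an operator notification to it.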

Below are some of the reasons the encryption keys may not have been passed to the SQL instance:

The NetLib Key Management Service (nlcbtask) is not running.

The "Store Key to Alternate Location" option was used, but the alternate location is not accessible, or the NetLib Key Management Service does not have permission to access it. See KB 240040.

The instance was secured while a User Key Master Key (UKMK) was in place, but the UKMK has since been cleared or changed.

The SQL instance was secured with the Lock Key To Machine feature, but the hardware characteristics of the machine have changed. This can be caused by restoring an image of the machine to other hardware, renaming the machine, etc.

The SQL instance was secured with the Master Must Be Encrypted option, but the master database is not encrypted.